Ansible with multiple vault IDs
In our work environment we have role-based access for passwords (of course). But as we deploy all systems with Ansible, we could end up with someone who only has deploy permission gaining access to all passwords. It’s obvious that we don’t want that, so I started looking into Ansible’s ability to use multiple vault passwords.
Ansible Vault IDs
Vault IDs are supported starting with Ansible 2.4.
Vault IDs make it possible to encrypt different files with different passwords and reference them inside a playbook. Prior to Ansible 2.4, only one vault password could be used in each Ansible run, forcing you to encrypt all files with the same vault password.
First and foremost, vault IDs need to be defined and referenced (best practice) inside your ansible.cfg file:
[defaults]
vault_identity_list = apple@prompt, pear@prompt
In this example there are two vault IDs, called apple and pear, and with this configuration Ansible will prompt for the needed passwords.
It’s also possible to supply vault password files instead, like this:
[defaults]
vault_identity_list = apple@~/.vault_apple, pear@~/.vault_pear
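A practical check that follows from this setup: every encrypted file should carry a vault ID label that is actually listed in vault_identity_list, otherwise a deploy run will not have a matching secret. The script below is an added example, not from the post or from Ansible itself; it parses the vault_identity_list entries from a constructed ansible.cfg and reads the label from the $ANSIBLE_VAULT header of constructed sample files (format 1.2 appends the label after the cipher name, format 1.1 has no label).

```python
import configparser

# Constructed sample ansible.cfg, mirroring the post's second example.
ANSIBLE_CFG = """[defaults]
vault_identity_list = apple@~/.vault_apple, pear@~/.vault_pear
"""

# Constructed sample vault files: only the header line matters here,
# the ciphertext body is a placeholder.
VAULT_FILES = {
    "group_vars/db/vault.yml": "$ANSIBLE_VAULT;1.2;AES256;apple\n3132...\n",
    "group_vars/web/vault.yml": "$ANSIBLE_VAULT;1.2;AES256;pear\n3132...\n",
    "group_vars/legacy/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n3132...\n",
    "group_vars/ci/vault.yml": "$ANSIBLE_VAULT;1.2;AES256;banana\n3132...\n",
    "group_vars/all/main.yml": "ntp_server: ntp.example.internal\n",
}

def parse_vault_identity_list(cfg_text):
    """Return {label: source} from vault_identity_list in [defaults].
    An entry without '@' is a bare source and is recorded as 'default'."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    ids = {}
    for entry in cp.get("defaults", "vault_identity_list", fallback="").split(","):
        entry = entry.strip()
        if entry:
            label, sep, source = entry.partition("@")
            ids[label if sep else "default"] = source if sep else label
    return ids

def vault_id_of(content):
    """Label from a vault header; None for a 1.1 header (no label);
    False when the content is not an Ansible Vault file at all."""
    parts = content.split("\n", 1)[0].strip().split(";")
    if parts[0] != "$ANSIBLE_VAULT" or len(parts) < 3:
        return False
    return parts[3] if len(parts) >= 4 else None

def check_coverage(cfg_text, files):
    """Map each file to ok / unlabelled / not-vault / missing:<label>."""
    configured = parse_vault_identity_list(cfg_text)
    report = {}
    for path, content in files.items():
        label = vault_id_of(content)
        if label is False:
            report[path] = "not-vault"
        elif label is None:
            report[path] = "unlabelled"
        else:
            report[path] = "ok" if label in configured else "missing:" + label
    return report
```

Running check_coverage over a real checkout (reading the files from disk in place of VAULT_FILES) flags encrypted files whose label no deployer identity can open, before a playbook run fails on them.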